Point Obfuscation and 3-round Zero-Knowledge

Transcription

1 Point Obfuscation and 3-round Zero-Knowledge Nir Bitansky and Omer Paneth Tel Aviv University and Boston University September 21, 2011 Abstract We construct 3-round proofs and arguments with negligible soundness error satisfying two relaxed notions of zero-knowledge: Weak ZK and witness hiding (WH). At the heart of our constructions lie new techniques based on point obfuscation with auxiliary input (AIPO). It is known that such protocols cannot be proven secure using black-box reductions (or simulation). Our constructions circumvent these lower bounds, utilizing AIPO (and extensions) as the non-black-box component in the security reduction. We also investigate the relation between AIPO and the assumptions previously used to achieve 3-round ZK. This research was funded by the Check Point Institute for Information Security. 1

2 Contents 1 Introduction Our Contribution Reflections on the Use of Point Obfuscation Definitions and Tools Weak Zero-Knowledge and Witness Hiding Message Delegation Remarks on Definition Point Obfuscation with Auxiliary Input Digital Lockers and Circular Digital Lockers round WH Overview of the Protocol Soundness Overview of the proof Proof of Theorem soundness Witness Hiding Overview of the proof Proof of Theorem witness hiding From an Argument to a Proof round WZK Overview of the Protocol Soundness Overview of the proof Proof of Theorem soundness Weak Zero-Knowledge Overview of the proof Proof of Theorem weak zero-knowledge Acknowledgements 23 References 24

3 1 Introduction Interactive proofs (IP s) and arguments (IA s) [GMR85, BCC88] are fundamental notions in the theory of computation. In cryptography, these are typically used to prove NP-statements, and the proof is required to maintain the prover s privacy. Different notions of privacy were considered, the most comprehensive one being zero-knowledge (ZK). ZK protocols allow proving an assertion without revealing anything but its validity. That is, the information on a valid statement learned by the verifier from the interaction can be simulated only from the statement itself. Since ZK was introduced [GMR85], questions regarding the round complexity of ZK protocols were studied extensively. While it is known that 2-round ZK protocols (with auxiliary input) for languages outside BPP do not exist [GO94], a classical open question is whether there exist 3-round ZK protocols for NP with negligible soundness error. The difficulty of this problem is exemplified by the lower bound of [GK96]: There do not exist 3-round black-box ZK (BBZK) protocols with negligible soundness for languages outside BPP (in BBZK the simulator only has black-box access to the verifier). Namely, to prove that a 3-round protocol is ZK, one must demonstrate a non-black-box simulator. The work of [Bar01] shows that using non-black-box simulation it is possible to go beyond existing black-box bounds. However, so far we do not know how to use similar techniques to obtain 3-round ZK protocols. Nevertheless, 3-round ZK protocols have been constructed based on non-standard knowledge assumptions. [HT98, BP04] show a 3-round ZK argument based on the knowledge of exponent assumption (KEA) and variants of it. A different knowledge assumption was used to show the existence of 3-round ZK proofs for NP [LM01]. (See further discussion in Section 1.2.) In light of the difficulties in achieving 3-round ZK, it is natural to examine relaxations of ZK that might enable the construction of such protocols. We discuss several previously studied relaxations. Witness indistinguishability (WI). A protocol is WI [FS90] if any two proofs for the same statement that use two different witnesses are indistinguishable. [FS90] show that, while the parallel repetition of basic (3-round) ZK protocols is not BBZK, it is WI. Furthermore, the soundness error decreases exponentially in the number of repetitions. However, WI protocols do not always guarantee witness secrecy; in particular, for statements with a unique NP-witness WI is meaningless. Nevertheless, [FS90] show how to use WI to achieve other notions of secrecy such as ZK and witness-hiding (WH). Witness hiding. Roughly speaking, a protocol is WH [FS90] w.r.t a distribution D on an NP-language L if no verifier can extract a witness from its interaction with the honest prover on a common instance x D. For WH to be meaningful, it should be restricted to hard distributions; namely distributions D for which poly-size circuits cannot find a witness w R L (x) for instances x D. WH is in a sense a minimal notion of privacy; indeed, leaking the entire witness does not leave much room for imagination. [FS90] present a 3-round protocol with negligible soundness error that is only WH w.r.t a specific type of (hard) distributions on languages where every instance has two witnesses. In contrast, extending the lower bounds of [GK96], [HRS09] show that for distributions with unique witnesses, 3-round WH can not be black-box reduced to any standard cryptographic assumption (e.g. existence of OWFs), under some natural limitations on the reduction. In this work, we are interested in protocols that are WH w.r.t all hard distributions (including the unique witness case). We remark that constructing WH protocols for restricted classes of distributions, where a lower bound on their hardness is apriori known, is a relatively easy task (and is not ruled out by [HRS09]). Indeed, using super-polynomial black-box reductions, it is possible to obtain 3-round WH protocols w.r.t to super-polynomial hard distributions. (For example, f(n) = ω(log n) parallel repetitions of a basic 3-round ZK protocol with constant soundness error, such as Blum, is WH w.r.t distributions that are hard for 2 f(n) -size adversaries.) Typical cryptographic scenarios, however, do call for secrecy w.r.t general languages/distributions where no apriori super-poly hardness bound is known at the protocol s design time. Here, efficient reductions requiring non-black-box techniques are needed. 1

4 Weak zero-knowledge. The standard notion of ZK requires that for any (potentially adversarial) verifier there exist a simulator that simulates its view in an interaction with the honest prover. The simulated view should be indistinguishable from the real one by any (efficient) distinguisher. The notion of WZK [DNRS99] weakens ZK by changing the order of quantifiers. Specifically, it allows the ZK simulator to depend on the particular distinguisher in question. While ZK is often used as a sub-protocol in larger systems, WZK is not always suitable for this purpose due to its weaker simulation guarantee. In particular, WZK is not known to be closed under sequential repetition. Nevertheless, WZK is useful in settings where the verifier tries to learn a specific type of information, and we can present a distinguisher that can test whether the verifier succeeded in learning it. Examples include verifiers that try to lean a specific predicate of the witness, or any function of the witness that is efficiently verifiable. In particular, WZK implies WH (by considering a distinguisher which tests if the verifier s view contains a valid witness). We note that for black-box simulation, WZK and (standard) ZK coincide; hence, by [GK96], a 3-round protocol with negligible soundness error can not be shown to even be WZK with a black-box simulator. To sum up the above discussion, 3-round arguments with negligible soundness error, that are ZK, WH or WZK cannot be constructed using black-box techniques (from this point on, we only consider proofs arguments with negligible soundness error). In light of the existing non-black-box constructions, it is interesting to investigate which techniques and assumptions could suffice for constructing such protocols. Another interesting related question is understanding whether the relaxed notions of WH and WZK require simpler techniques than for full-fledged ZK; indeed, all existing WH constructions are based on the stronger notion of ZK as a building block. The question of finding more direct constructions of WH was already raised by [FS90]. This work sheds new light on both questions, introducing techniques based on point obfuscation. Point obfuscation (PO) and extensions. We briefly review the concept of PO. Informally, an obfuscator is a randomized algorithm O which gets as input a program C (given by a circuit) and outputs a new program O(C) that has the same functionality as the original one, but does not leak any additional information on C [BGI + 01]. A stronger variant is obfuscation with auxiliary input, in which O(C) does not leak any information even given a related auxiliary input z C [GK05]. In this work we consider obfuscation of point circuits and their extensions. A point circuit I s outputs 1 on s and on all other inputs. A multibit point circuit I s t outputs t on s and otherwise. We also consider a new extension of point circuits which we call circular point circuits. These are circuits I s t which output t on input s, s on input t, and otherwise. Obfuscators for multibit point circuits are called Digital Lockers (DL). We introduce the new notion of circular digital lockers (CDL) that are obfuscators for circular point circuits. Point circuits and their extensions are among the very few functionalities for which obfuscators have been shown; in particular there are several constructions that realize PO (and variants), under a number of strong hardness assumptions. So far, however, PO s have found only a handful of applications in cryptographic theory, mostly to strong forms of encryption [Can97, Wee05, CD08, CKVW10, BC10]. 1.1 Our Contribution We construct 3-round WH and WZK protocols based on two different variants of point obfuscation: 3-round negligible soundness WH IP for NP given auxiliary input point obfuscators that satisfy a relatively mild distributive security requirement. The protocol is WH w.r.t general hard distributions (including the unique witness case). 3-round WZK IA for NP given auxiliary input digital lockers that satisfy a worst-case simulation security requirement. 2

5 We next give an overview of our constructions, followed by a discussion on the nature of our obfuscation assumptions and how they relate to previous assumptions used for 3-round ZK protocols. 3-round witness-hiding. The high level idea behind our WH protocol is as follows. Given an NP statement x L, have the verifier V construct a modified NP verification circuit Ver y L,x that on a valid witness w R L (x) outputs a secret random point y and outputs otherwise. V then garbles this circuit using Yao s technique and both parties execute a 2-message oblivious-transfer protocol, at the end of which the prover P possesses the garbled circuit and the corresponding labels for the witness w. Next, P evaluates the circuit (on w) and obtains the point y. (This is essentially a conditional disclosure of secrets protocol, as termed by [GIKM00, AIR01], where P learns the output y only if it inputs a valid witness.) In the third message, P sends back to V a point obfuscation of y. V accepts only after verifying it got a valid obfuscation of y. Informally, soundness follows from the secrecy of the garbled circuit that prevents a dishonest prover from obtaining the random y in case there is no valid witness. In fact, we show that our protocol is a proof of knowledge. The witness-hiding property is based on the security of the underlying obfuscator. To exemplify, consider a version of the protocol where P sends back y in the clear. Following is an attack on this simple version of the protocol. Consider a cheating verifier V that instead of garbling Ver y L,x, garbles the identity circuit. P now evaluates the garbled circuit on w and obtains the point y = w. If P was to simply send back y in the clear, V would have learned w and the protocol would be completely insecure. Instead, P sends back an obfuscation O(y). The security of the obfuscator O should then assure that V can not obtain w, unless it was already known to V in advance. The security reduction and required obfuscation assumptions. As we have seen, the WH guarantee of our protocol depends on the security of the underlying point obfuscator O. We now discuss the properties of the obfuscation used to show WH. Concretely, our underlying obfuscator should satisfy a distributional indistinguishability requirement w.r.t to points and related auxiliary information that are jointly sampled from an unpredictable distribution. We say that a distribution ensemble D = {(Z n, Y n )} n N on pairs of strings is unpredictable (UPD) if poly-size circuits cannot predict (with noticeable chance) the point Y n, given the potentially related auxiliary input Z n. We say that O is a distributional auxiliary input point obfuscator (AIPO) if for any UPD D = {(Z n, Y n )}, no poly-size circuit family can distinguish, given Z n, an obfuscation of O(Y n ) from an obfuscation of a random point O(U n ). In our setting, Z n represents the common input x and the prover s first message (during the OT protocol). Y n is the obfuscated point (returned by the honest prover). That is, Z n is explicitly known to the verifier, while Y n is obfuscated. A malicious V might choose its (garbled) circuit to output illegitimate information on the witness (i.e. information it could not predict on its own only from Z n ); the obfuscation, however, should prevent it from doing so. 3-round weak zero-knowledge. The WH protocol described above is not ZK and in fact enables a cheating verifier V to learn arbitrary predicates of the witness. For example, to learn w 1, the first bit of w, V can maliciously choose its garbled circuit to map any witness w to one of two arbitrary points y 0, y 1 according to w 1. In this case, the honest prover sends an obfuscation O(y w1 ), and V learns w 1 by simply running the obfuscation on each of the two points y 0, y 1. This attack can be generalized to any function of w with output length O(log n) (using a poly-size set of strings {y i }). Towards making the protocol ZK, we try to cope with the above attack by requiring that the verifier proves it fully knows the secret point y (rather than just a poly-size set containing y). To achieve this without adding rounds, we ask that the verifier itself includes an obfuscation of y in its message. The prover then checks the obfuscation s consistency with the point extracted from the circuit evaluation. In case of inconsistency, the prover aborts. This modification, however, still does not prevent the above attack. The verifier V can learn w 1 by sending an obfuscation of the string y 0 and observing whether the prover aborts. Moreover, the protocol might no longer be sound since a cheating prover might use 3

6 the verifier s obfuscation to create an obfuscation of the same point y without knowing y. We resolve these issues as follows: (a) To regain soundness, we use an obfuscation scheme with non-malleability properties, based on an obfuscated circular point circuit (CDL). (b) To achieve WZK, we require that instead of a plain point obfuscation, the verifier sends an obfuscated multibit point circuit (DL) that on the secret input y outputs the coins used by the verifier to garble the circuit. Now the prover can verify that the garbled circuit is indeed Ver y L,x (for some y). In order to show that the protocol is WZK, we use stronger notions of obfuscation. Since WZK requires worst-case simulation (i.e. simulation for any x), we require that our obfuscators also satisfy a worst-case simulation guarantee (rather than the weaker distributive definition used for WH). To simulate any verifier V, our simulator must make use of the obfuscation simulator for V. However, an obfuscation simulator for general adversaries with long output could not exist (see [BGI + 01]); in fact, in known constructions of PO only address simulation of adversaries with a single output bit. To overcome this, we use the fact that the WZK simulator is given a specific distinguisher and it only needs to simulate the output of this distinguisher on V. Since V and the distinguisher together can be viewed as an adversary for the obfuscation that outputs a single bit, there exists an obfuscation simulator for this adversary. We show how to use this simulator to construct a WZK simulator. Indeed, this limitation on simulating adversaries with long output is the reason we do not achieve full-fledged ZK. We note that while we do not know whether our WZK protocol remains secure under sequential composition, we show that if the DL and CDL used are composable obfuscators the protocol remains WZK under parallel composition. 1.2 Reflections on the Use of Point Obfuscation The results of [GK96, HRS09] imply that our 3-round protocols can not be shown secure using reductions that only make black-box use of the adversary. This is not surprising: indeed, neither auxiliary input nor standard point obfuscators can be shown to be secure using black-box reductions [Wee05]. Hence, our use of obfuscation inherently implies that the verifier is not used as a black-box. To demonstrate the non-black-box nature of POs, we briefly review the techniques used in existing constructions [Can97, Wee05]. We can view POs as a special case of AIPOs where the auxiliary input Z n is empty. In this case, the distribution Y n is unpredictable if it is well-spread (i.e., has super-logarithmic min-entropy) and the security requirement is that O(Y n ) c O(U n ) for any well-spread Y n. The hardness assumptions made in [Can97, Wee05] are shown to imply that the strategy of any distinguisher essentially consists of a poly-size set of distinguishing elements. That is, only obfuscations of points within this set are distinguishable from an obfuscation of a random point. However, these elements can not be extracted using black-box access to the adversary. Hence, they are given to the reduction (or simulator) as non-uniform advice. These techniques allow achieving the stronger worst-case simulation definition, thus showing that the distributive and worst-case definitions are in fact equivalent in the case of no auxiliary input. When considering auxiliary input, we can no longer apply these techniques. Indeed, the set of distinguishing elements can now depend on the auxiliary input in an arbitrary way. That is, no short advice suffices for the reduction to go through. In general, we do not know whether the distributive AIPO definition implies the worst-case simulation definition in the auxiliary input case (the converse still holds). Concrete constructions. There exist very few constructions that were shown to be secure w.r.t auxiliary input. [GK05] show that any point obfuscator is also secure w.r.t auxiliary input that is chosen independently of the obfuscated point. [DKL09] suggest a construction that, under a variant of the LWE assumption, satisfies a restricted definition, where the distribution D is highly unpredictable. Both results are insufficient for our needs. In this work, we consider two concrete constructions of AIPOs based on two different assumptions. The first AIPO, known as the (r, r x ) obfuscator, was suggested by Canetti [Can97] based on a 4

7 strong variant of DDH. Informally, the assumption states that there exists an ensemble of prime order groups G = {G n : G n = p n } such that for any unpredictable distribution D = (Z n, Y n ) with support {0, 1} poly(n) Z pn : (z, r, r y ) c (z, r, r u ), where (z, y) (Z n, Y n ), u U Z pn and r is a random generator of G n 1. For the second construction, we suggest a new assumption that is stated in terms of uninvertibility rather than indistinguishability. The assumption strengthens the assumption made by Wee [Wee05] to account for auxiliary inputs. Roughly, to construct (non auxiliary input) POs, Wee assumes a strong one-way permutation f that is uninvertible w.r.t to all well-spread distributions. A natural extension of the latter to the auxiliary input setting is to assume that the permutation is hard to invert, even given side information Z on the pre-image Y, from which Y cannot be predicted. An additional fact used by Wee is that permutations inherently preserve (information-theoretic) entropy; in particular, if Y is well-spread, so is f(y ). In the (computational) auxiliary input setting, this might not be true; namely, it might be that Y is unpredictable from Z, while f(y ) is predictable from Z. One possible way to deal with this issue is to assume a trapdoor permutation family (with the above strong uninvertibility). In Section 2.3, we show a more general (or weaker) assumption and a corresponding construction of AIPOs. We remark that both the assumptions we consider (or any assumption that states that a specific obfuscation candidate is an AIPO satisfying either a the worst-case or the distributive security definition) are considered to be non-standard. In particular, any such assumption is non-falsifiable in the terms of Naor [Nao03]. For example, to falsify the the distributive AIPO definition, one has to come up not only with a distinguisher but also with an unpredictable distribution and a proof of its unpredictability. Comparison with previous work on 3-round ZK. As already mentioned, it is known how to construct 3-round ZK arguments and proofs using non-falsifiable knowledge assumptions, such as KEA [HT98, BP04], the POK assumption [LM01], or the existence of extractable perfect one-way functions (EPOWF)[CD09]. The KEA assumption [Dam91], essentially asserts that any algorithm that produces a DDH tuple, must know the corresponding exponents.upon the formulation of KEA, [Dam91] raised a more general question regarding the existence of sparse range one way functions, such that any algorithm that can sample an element within the function s range, must also know a primage (KEA indeed yields such a OWF). The EPOWF primitive of [CD09] formalizes this generalization. All in all, all the above assumptions essentially fall under the abstract notion of EPOWF. (Indeed, [CD09] show that either one of the KEA or the POK assumptions imply the EPOWF primitive, when combined with a hardness assumption such as DDH.) In this work we show how to circumvent the black-box impossibility results for 3-round WZK and WH based on a different set of primitives; namely (variants of) point obfuscation with auxiliary input. At this point, we do not know of any formal relation between the AIPO and EPOWF primitives, beyond the relation established in this work (through 3-round ZK). We find that formalizing such a relation is an interesting question on its own (going beyond the scope of 3-round ZK). Coming up with different assumptions (even non falsifiable ones) that can be used to overcome known black-box bounds opens up new directions for overcoming these bounds. In this case, we show that the research of AIPO can also be instrumental for the attempts to overcome black-box impossibility results for 3-round WZK and WH. Finally, we consider the techniques in use. Unlike previous works, our work demonstrates a direct WH construction that is not based on a ZK protocol. We then strengthen it to a limited form of ZK. Our WH to WZK transformation is specifically tailored for our construction. An interesting open question is whether a general transformation of this type exists. 1 Both [Can97, DKL09], make use of a slightly different formulation for the distributional AIPO requirement. Their formulation is essentially equivalent to ours. 5

8 On the efficiency of the construction. We note that basing our constructions on 2-party secure function evaluation (using Yao s garbled circuit technique) results in efficient protocols with a practical implementation (similarly to [IKOS07]). By working directly with the verification circuit Ver L, we avoid the overhead of Karp reducions most existing 3-round ZK IA. Specifically, using existing constructions for the relevant primitives, we can achieve communication complexity O(ns), where n is the security parameter and s is the size of Ver L. This is not optimal as there exist ZK argument with polylog communication complexity [Kil92]. However, these require using PCP techniques, making them impractical. 2 Definitions and Tools 2.1 Weak Zero-Knowledge and Witness Hiding We consider interactive argument systems for NP languages L with a corresponding witness relation R L. Each system consists of a pair of PPT prover and verifier algorithms (P, V). We require that all our protocols satisfy: Perfect completeness. For any (x, w) R L : Pr[(P(w), V)(x) = 1] = 1. Negligible soundness error. For any poly-size prover strategy P, any large enough n, and any x {0, 1} n \ L: Pr[(P, V)(x) = 1] negl(n). We say that the system is a proof (rather than an argument) if it is also sound against provers of unbounded size. We also consider the following notion of proof of knowledge: an interactive proof (P, V) is a proof of knowledge (POK) if there exist an oracle machine E s.t. for every prover strategy P, for every long enough x L and every polynomial p, if Pr[(P, V)(x) = 1] p( x ) then E P (x) R L (x) and the expected running time of E P (x) is polynomial in 1/p( x ). In this work we discuss two relaxations of ZK which are formalized next. Weak zero-knowledge. In ZK we require that the view of any verifier V in an interaction with the honest prover P can be simulated by an efficient simulator S. The simulated view should be indistinguishable from the view of V for any poly-size distinguisher. In weak ZK (WZK), the simulator is only required to output a view that is indistinguishable from that of V for a specific distinguisher. This is modeled by supplying the simulator with the distinguisher circuit as additional auxiliary input. Definition 2.1 (Weak zero-knowledge). The argument system (P, V) is WZK if for every PPT verifier V there exist a PPT simulator S such that for every poly-size circuit family of distinguishers D = {D n } n N and any x L {0, 1} n, w R L (x), z {0, 1} poly(n) it holds that: Pr[D n ((P(w), V (z))(x)) = 1] Pr[D n (S(D n, x, z)) = 1] negl(n). Witness-hiding. A protocol is WH if the verifier cannot fully learn a witness from its interaction with P. This requirement is restricted to instances and witnesses (x, w) sampled from hard distributions. Definition 2.2 (Hard distribution). Let D = {D n } n N be an efficiently samplable distribution ensemble on R L, i.e. Supp(D n ) = {(x, w) : x L {0, 1} n, w R L (x)}. We say that D is hard if for any poly-size circuit family {C n } and sufficiently large n it holds that: Pr (x,w) Dn R L [C n (x) R L (x)] negl(n). 6

9 Definition 2.3 (D-witness-hiding). An argument system (P, V) for an NP language L is WH w.r.t to a hard distribution D = {D n } n N, if for any poly-size verifier V and all large enough n N: Pr [(P(w), V )(x) R L (x)] negl(n). (x,w) D n We say that (P, V) is WH if it is WH w.r.t to a every hard distribution. As discussed in the introduction, in this work we will be interested in WH protocols (w.r.t to a every hard distribution), and not with protocols that are WH w.r.t to a specific hard distribution Message Delegation A central tool used in our constructions is a 2-message delegation protocol in which the prover and verifier jointly evaluate the NP verification circuit of the language on the common instance and the prover s witness. We use this primitive (following the formulation in [IP07]) to abstract the use of Yao s garbled circuit construction. A 2-message delegation protocol is executed by parties (A, B), where A has an input x, and B has as input a function f (given by a boolean circuit). The protocol should allow A to obtain f(x) using two messages: A B A, and without compromising the input secrecy of either party. We additionally require that, given B s message and secret randomness, one can reconstruct f. The protocol is defined by a tuple of algorithms (Gen, Enc, Eval, Dec, Open) and proceeds as follows: A: Obtains a key sk Gen(1 n ), computes an encryption of its input c Enc(sk, x), and sends c. B: Computes an encrypted output ĉ Eval(c, f) using randomness r, and sends back ĉ. A: Outputs y = Dec(sk, ĉ). Definition 2.4 (Secure 2-message delegation). a protocol (Gen, Enc, Eval, Dec, Open) is a secure 2- message delegation protocol if for every ensemble C = {C n } n N of poly-size circuits, where each C C n has input length n, the following requirements hold: Correctness: For all n N, x {0, 1} n and C C n, the following procedure outputs C(x) with probability 1: Obtain sk Gen(1 n ). Compute c Enc(sk, x). Compute ĉ Eval(c, C). Output Dec(sk, ĉ). Input Hiding: For any poly-size D, the probability that D wins the following game is at most 1/2 + negl(n): On 1 n, D submits a pair of strings x 0, x 1 {0, 1} n. Sample sk Gen(1 n ). For a random bit b R {0, 1}, compute c Enc(sk, x b ) and give c to D. D outputs a guess b and wins if b = b. 7

10 Function Hiding: A randomized evaluation should not leak information on the input circuit C. This should hold even when A is malicious and sends an arbitrary first message. Formally, let E(x) = Supp(Enc(, x)) be the set of all legal encryptions of x, and let E n = x {0,1} ne(x) be the set legal encryptions for strings of length n. Then there exist a PPT simulator S such that: {C, Eval(c, C)} n N,C C n x {0,1} n,c E(x) c {C, S(c, C(x))} n N,C C n x {0,1} n,c E(x) {C, Eval(c, C)} n N c {C, S(c, )} n N. (2) C C n,c/ E n C C n,c/ E n Function Binding: We require that, given the result ĉ of evaluating C on an encrypted input and the randomness r used by Eval, one can efficiently reconstruct C. The bind should also hold against a malicious evaluator B: 1. For all n N, x {0, 1} n, C C n, the following procedure outputs C with probability 1: Obtain sk Gen(1 n ). Compute c Enc(sk, x). Compute ĉ Eval(c, C) using randomness r to Eval. Output Open(ĉ, r). 2. For any ĉ {0, 1} there is at most one value of r s.t. Open(ĉ, r) Remarks on Definition The function-binding property is required in our construction of WZK IA. While function-binding is not required in common formulations of delegation protocols, we show that a Yao-based construction (when instantiated with natural forms encryption) has this property. 2. To get WH proofs (rather than arguments), we use a slightly stronger variant where the functionhiding is information-theoretic (and not computational). In this case, we no longer require the delegation protocol to be function-binding (as in standard commitments, the two properties cannot coexist). 3. The security definition presented is weaker than the standard definition of secure function evaluation. Specifically, if the evaluating party B is malicious we can not fully simulate. 4. The definition of function-hiding does not require that the simulator knows whether the encryption ĉ is valid or not. In our case, this will be sufficient; specifically, we shall utilize the simulator for circuits the output on all inputs and S(c, ) will correctly simulate the garbled circuit whether c is a valid encryption or not. Instantiating the 2-message delegation scheme. We describe how to implement a 2-message delegation scheme using Yao s garbled circuit technique and 2-message OT. We require a 2-message OT scheme, with the following security guarantee: 1. Computational security for the receiver: for every two inputs, the receiver s messages are computationally indistinguishable. 2. Information-theoretic security for the sender: the view of every receiver can be simulated in an information-theoretic way by a (possibly unbounded) simulator interacting with the ideal OT functionality. (1) 8

11 We will use the OT scheme of [NP01] that satisfy this security requirement under the DDH assumption. A description of Yao s garbled circuit construction can be found in [LP09]. Gen: Simply outputs as sk random coins for the OT receiver. Enc: Use the randomness string sk to generate and output the receiver s message of the OT, where the choice bits correspond to the bits of the input value x. Eval: Generate a garbled universal circuit Û taking as input a description of the circuit C and another input x for C and outputs C(x). Output the garbled circuit Û, the labels of the input wires describing the input circuit C, and the OT sender s message encoding the labels of the input wires received from A. Dec. Use sk to obtain the labels for the input wires corresponding to x (from the OT sender-message); evaluate the garbled circuit and obtain the result. Open. Given the randomness used to garble the circuit Û, open all the gates of the garble circuit; reveal and output the values of the inputs wires encoding C. For this we require that the underlying encryption scheme for Yao s protocol is committing; namely, any cipher should informationtheoretically determine the plaintext (even without the secret key). The details of the security proof for the function hiding property of the scheme in the semi-honest case are similar to [CCKM00]. By using an OT scheme that is secure against malicious senders, we can show that the function hiding property of the construction holds also in the malicious case. Informally, if a malicious A sends a malformed first message, the security of the OT guaranties that it will learn nothing about the values of the input wires to the garbled circuit. Together with the security of the garbled circuit it follows that the message sent by B can be simulated independently of A s first message. The function binding property follows directly from the fact that the underlying encryption scheme for the garbled circuit is committing. Instantiating the 2-message delegation protocol with perfect function hiding. We showed how to construct a 2-message delegation protocol using Yao s garbled circuit. Note that the OT scheme used ([NP01]) is also secure against unbounded receivers. We can use an information-theoretic variant of Yao s garbled circuit in a similar way to get a 2-message delegation protocol with perfect functionhiding for NC 1 circuits. A description of an information-theoretic variant can be found in [IK02]. As mentioned above, this variant will be used in order to construct IP rather than IA. 2.3 Point Obfuscation with Auxiliary Input We start by recalling the standard definition for circuit obfuscation with auxiliary input. The definition is a worst-case definitions in the sense that simulation must hold for any circuit in the family and any related auxiliary input. Definition 2.5 (Worst-case obfuscator with auxiliary input [BGI + 01, GK05]). A PPT O is an obfuscator with auxiliary input for an ensemble C = {C n } n N of families of poly-size circuits if it satisfies: Functionality. For any n N, C C n, O(C) is a circuit which computes the same function as C. Polynomial slowdown. For any n N, C C n, O(C) poly( C ). Virtual black box. For any PPT adversary A there is a PPT simulator S such that for all sufficiently large n N, C C n and z {0, 1} poly(n) : Pr[A(z, O(C)) = 1] Pr[S C (z, 1 C ) = 1] negl(n), where the probability is taken over the coins of A, S and O. 9

12 An obfuscator O is recognizable if given a program C and an alleged obfuscation of C, C, it is easy to verify that C and C compute the same function. Recognizability. There exist a polynomial time recognition algorithm V such that for any C C n : Pr O [V(C, O(C)) = 1] = 1 For any C {0, 1} poly(n) if V(C, C) = 1 then C and C compute the same function. Point obfuscation. We consider obfuscation of point circuits and their extensions. A point circuit I s outputs 1 on string s and on all other inputs. Definition 2.6 (Worst-Case auxiliary-input point obfuscation (AIPO)). A PPT algorithm O is a worstcase AIPO if it is a recognizable obfuscator (according to Definition 2.5) for the following circuit ensemble: C = {C n = {I s s {0, 1} n }} n N Remark 2.1. The notion of recognizable obfuscation was not explicitly defined in previous works. We only consider this property in the context of point obfuscation. While, in general, point obfuscators are not required to be recognizable, previously constructed obfuscators [Can97, Wee05] are trivially recognizable. This is due to the fact that they use public randomness, i.e. the randomness used by the obfuscator appears in the clear as part of the obfuscated circuit. The recognition algorithm, given a program and its obfuscation, can simply rerun the obfuscation algorithm with the public randomness and compare the result to the obfuscation in hand. We next present a weaker distributional definition for point obfuscation with auxiliary input that previously appeared in [Can97] (in a slightly different formulation). We first give a preliminary definition of unpredictable distributions (generalizing Definition 2.2) and then present the obfuscation definition. Definition 2.7 (Unpredictable distribution). A distribution ensemble D = {D n = (Z n, Y n )} n N, on pairs of strings is unpredictable if no poly-size circuit family can predict Y n from Z n. That is, for every poly-size circuit family {C n } n N and for all large enough n: Pr [C n (z) = y] negl(n). (z,y) D n Definition 2.8 (Auxiliary input point obfuscation for unpredictable distributions (AIPO)). A PPT algorithm O is a point obfuscator for unpredictable distributions if it satisfies the functionality and polynomial slowdown requirements as in Definition 2.5, and the following secrecy property. For any unpredictable distribution D = {D n = (Z n, Y n )} over {0, 1} poly(n) {0, 1} n it holds that: {z, O(y) : (z, y) D n } n N c {z, O(u) : z Z n, u U {0, 1} n} n N. Remark 2.2. Using this definition in our WH construction, we can settle for a slightly relaxed definition with bounded auxiliary input; namely Y n = ω( Z n ). We do not know if such a bounded form of auxiliary-input indeed weakens the requirement. However, it does seem to withstand certain diagonalization attacks that can be performed for the non-restrictive. AIPO constructions. Following are two constructions of AIPOs based on two different assumptions. We recall the construction of [Can97]. Then, we describe a modification of the construction in [?] that yields AIPOs given a new assumption that strengthens Wee s original assumption. Construction 2.1 (The r, r x point obfuscator [Can97]). Let G = {G n } n N be a group ensemble, where each G n is a group of prime order p n (2 n 1, 2 n ). We define an obfuscator, O, for points in the domain O Z pn as follows: I x C(r, r x ), where r U G n is a random generator of G n, and C(r, r x ) is a circuit which on input i, checks whether r x = r i. 10

13 [Can97] considers a strong variant of the DDH assumption implying that the (r, r x ) obfuscator is an AIPO satisfying Definition 2.8. The assumption essentially states there exist an ensemble of prime order groups G = {G n : G n = p n } such that for any unpredictable distribution D = (Z n, X n ) with support {0, 1} poly(n) Z pn, it holds that that (z, r, r x ) c (z, r, r u ) where (z, x) (Z n, X n ), u U Z pn and r is a random generator of G n. Candidate group ensembles include any ensemble where standard DDH is assumed to hold, e.g. quadratic residues modulo a prime, or elliptic curves groups. We note that Construction 2.1 also satisfies the recognizability requirement given in Definition 2.5. Indeed, the recognition algorithm V(I x, C), simply checks whether C is of the form C(g, h), and that g x = h (here g is the public randomness used in the obfuscation). The second construction is based on a new assumption that strengthens the assumption of Wee [Wee05] to account for auxiliary inputs. As explained in the introduction the natural extension of Wee s assumption to auxiliary input is insufficient as is. Instead, we make the following assumption and augment Wee s original construction. Assumption 2.1. There exists an ensemble of permutation families F = {F n = {f}} such that for any unpredictable distribution ensemble D = {D n = (Z n, Y n )}, the following two distribution ensembles are also unpredictable: ((Z n, f(y n ), f); Y n ) ((Z n, f); f(y n )), where in both f U F n (independently of D n ). We remark that the first property naturally generalizes Wee s assumption regarding strong uninvertibility; in particular, when Z is empty and Y is simply well-spread the assumption coincides with Wee s. The second property essentially guarantees that f(y ) is unpredictable from Z just as Y is; In Wee s assumption (where Z is empty and Y is well-spread) this is inherently guaranteed by the fact that permutations preserve information-theoretic entropy. We note that the second part of the assumption has a flavor of weak extractability; still, it appears to be significantly weaker than the sparse-range extractability discussed in the introduction. We also note that any trapdoor permutation family would inherently imply the second part of the assumption; hence, it suffices to have trapdoor permutations that satisfy the strong uninvertibility (first part of the assumption). Construction 2.2. Let F be a family of permutations given by Assumption 2.1. The obfuscator O works as follows: given a point y {0, 1} n, O samples 3n permutations {f i } i [3n] from F n, and 3n strings {r i } i [3n] from {0, 1} n. For every i [3n], let f i = f i f i 1 f 1 (where denotes composition). O outputs a circuit C y that has hardcoded into it the randomness of O, {f i, r i } i [3n] and the bits { b i = r i, f i (y) } i [3n], where.,. denotes the inner product in F 2. C y outputs 1 on a point x if i [3n] : b i = r i, f i (x) ; otherwise, C y outputs 0. The proof of security follows similar ideas to the proof in Wee, we defer the details to a later extended version of this work. 2.4 Digital Lockers and Circular Digital Lockers We also consider obfuscation of several extensions of point circuits. Specifically, multibit point circuits and circular point circuits. A multibit point circuit I s t outputs t on s and otherwise. A circular Point circuit I s t outputs t on input s, s on input t, and otherwise. Obfuscators satisfying the worst-case AIPO definition (Definition 2.6) for multibit point circuits and circular point circuits are called digital lockers (DLs) and circular digital lockers (CDLs). 11

14 Definition 2.9 (Digital locker (DL)). A PPT algorithm is a DL if it is a recognizable obfuscator (according to Definition 2.5) for the following circuit ensemble: C = {C n = {I s t s, t {0, 1} n }} n N Definition 2.10 (Circular digital locker (CDL)). A PPT algorithm is a CDL if it a recognizable obfuscator (according to Definition 2.5) for the following circuit ensemble: C = {C n = {I s t s, t {0, 1} n }} n N Remark 2.3. We note that the security under circularity feature is inherently provided by the strong obfuscation guarantees, was already considered in previous work for constructing strong encryption schemes which withstand key dependent messages and related keys attacks [CKVW10, BC10]. While AIPOs are sufficient for our WH protocol, our WZK protocol requires DLs and CDLs. We now explain how these can be constructed based on a worst-case AIP O that satisfy the additional property of composability. Definition 2.11 (Composable obfuscation [LPS04]). A PPT O is a t-composable obfuscator for a circuit ensemble C = {C n } if for any PPT adversary A, there is a PPT simulator S, such that for any sufficiently large n, any sequence of circuits C 1,..., C t C n (where t = poly(n)) and auxiliary input z {0, 1} poly(n) : Pr[A(z, O(C 1 ),..., O(C t )) = 1] Pr[S C1,...,C t (z, 1 C1,..., 1 Ct ) = 1] negl(n), where C 1,..., C t gets as input (x, i) and returns C i (x). Composable point obfuscators yield a natural construction of DLs[CD08]. Construction 2.3 (Digital lockers). Let O be a point obfuscator. Define a PPT DL for point circuits with n-bit output as follows. For a point x {0, 1} n and output y = y 1 y 2... y n {0, 1} n, choose a random u {0, 1} n {x} and define ā = (a 0, a 1,..., a n ) as follows. a 0 = x, and for any i [n] a i = x if y i = 1 and a i = u otherwise. The output of the obfuscator is: DL(I x y ) = C(O(C a0 ),..., O(C an )), where C is a circuit which performs as follows. On input z, it first checks whether z = a 0 = x (using the first point circuit). If it does not, it returns. Otherwise, it finds all other coordinates such that a i = z = x and outputs y 1... y n, where y i = 1 if a i = z = x and 0 otherwise. Proposition 2.1 ([CD08]). If O is an (n + 1)-composable worst-case AIPO then DL (given by Construction 2.3) is a digital locker. Proof. The proof of the functionality, polynomial slow down, and virtual black box properties of DL, appears in [CD08]. It is left to prove that DL is recognizable. Let V O be the recognition algorithm for (the single-bit output) O. We construct a recognition algorithm V DL for DL. V DL is given a program I s t and an obfuscated circuit C. First, V DL verifies that the format of C is correct; i.e., that C contains n+1 circuits Õ0,..., Õn and performs according to Construction 2.3 (we assume that a legal obfuscation always have the same canonical form). If this is the case, it checks whether V O (I s, Õ0) = 1, if so it checks that C(s) = t. In case any of the above checks fails, it outputs ; otherwise, it outputs 1. Note that while V DL might output 1 on circuits that are not a proper obfuscation (for example the circuits Õi corresponding to 0 might encode different points, rather than the same u, or even not be point circuits). However, it is guaranteed that C has the same functionality as I s t. Construction 2.4 (Circular digital lockers). Given DL specified by Construction 2.3, define a PPT CDL that on input points s, t {0, 1} n outputs the following circuit: CDL(I s t ) = C(DL(I s t ), DL(I t s )), where C is a circuit that returns if both DLs output and otherwise it the output of the DL that does not output. 12

15 Proposition 2.2. If O is an (2n+2)-composable worst-case AIPO then CDL (given by Construction 2.4) is a circular digital locker. Proof. It follows directly from the construction that CDL satisfies the functionality and polynomial slow down properties. We show that CDL satisfies the virtual black box property. Let A be an adversary that is given a circuit CDL as input. This CDL contains a pair of DLs constructed from O according to Construction 2.3. In [CD08] it is shown that if O is 2(n + 1)-composable, the pair of DLs are 2- composable and therefore there exist a simulator S such that for all sufficiently large n N, every s, t {0, 1} n and z {0, 1} poly(n) : Pr[A(z, O(I s t )) = 1] Pr[S Is t,it s (z, 1 n ) = 1] negl(n) Now we transform S to be the obfuscation simulator for A by answering all queries S makes to the pair of oracles I s t, I t s using the single oracle I s t. It is left to prove that CDL is recognizable. Let V DL be the recognition algorithm for the underlying DL. Given a program I s t and an obfuscated circuit C, the recognition algorithm for the CDL will simply verify that C is correctly composed of two DLs and use V DL to verify that these DLs have the same functionality as I s t, I t s. 3 3-round WH 3.1 Overview of the Protocol As a warmup consider first the following unsound protocol: To prove an NP statement x L, the prover P and verifier V first engage in a 2-message delegation protocol where P s (secret) input is the witness w and V s input function is the NP verification circuit Ver L,x. P obtains the result Ver L,x (w) and sends it to V. This is unsound since a cheating prover can always send 1 as it s last message. To make the protocol sound, we augment it as follows. Let Ver y L,x be a circuit which outputs y on valid witnesses and otherwise. Now, V will choose a secret string y R {0, 1} n, and use the circuit Ver y L,x as its secret input in the delegation protocol. In order to convince V of the statement, P should send back y. Indeed, in case x / L we have Ver y L,x, and hence the function hiding property of the delegation protocol assures that P does not learn the random y. However, this protocol is not witness hiding. Indeed, a cheating verifier can try to obtain w by maliciously choosing its input function. For instance, choosing the function to be the identity results in the prover sending back w. A natural approach towards fixing the latter problem would be to have the verifier prove it behaved honestly, without revealing its secret. In other words, it should give a round-efficient witness-hiding proof, which is what we set out to do to begin with. Thus, we take a different approach. We note that an honest verifier that knows y should only be able to verify that the prover knows it as well; hence, it suffices to have the prover send a point obfuscation of y, instead of sending y in the clear. The security of the obfuscation would then guarantee that any information that the verifier learns on w could also be learned (with noticeable probability) without the obfuscation. The protocol. Let DEL = (Gen, Enc, Eval, Dec, Open) be a secure 2-message delegation protocol and let O be a point obfuscator for unpredictable distributions (AIPO) with recognition algorithm V. The protocol is given by Figure 1. Theorem 3.1. Let DEL be a secure 2-message delegation protocol, and let O be an AIPO. Protocol 1 is a WH IA. 13